Delivery-service tenancy based access control - DNSSEC and SSL Keys

We have recently added "tenancy" to the project.
With tenancy, every resource have a tenant, where resource can be a delivery-service, a server (future) and even a user.
We are now starting to enforce access-control based on the resource tenancy. A user can manage a resource only if the resource is under the user tenancy.

This JIRA deals with another step of "delivery-service as a resource" - enforcing access control on the management of ssl keys and DNSSEC, according to their Delivery service.
We still need to finalize the specification of this access control, and it would not be included in the first phase of tenancy introduction, assuming that the application hide from the user the ability to deal with entries relating to DSes which are not under his tenancy.